Hi All,

We have a topo with 3x IPA servers + freeradius.

Freeradius is being used to do mschap with wifi APs. Freeradius connects over ldap to IPA. In order to do the challenge-response thing, freeipa has AllowNTHash enabled.

So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth. The moment I disallow Password auth for a user and enable OTP, the wifi auth stops working, but the hash clearly stays in ldap.

The goal is to stay with password on freeradius, but for everything else (kerberos/sssd related) use password+code.

How can I disable password login for a user but still make freeradius work with ldap, so that when it asks for the user's hash it gets one?

Freeradius ldap mod snippet:

    base_dn = "cn=users,cn=accounts,dc=cs,dc=com"

Thank You

--
Best regards
Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC